From patchwork Fri Mar 10 08:53:59 2023
X-Patchwork-Submitter: Roberto Sassu
X-Patchwork-Id: 67289
From: Roberto Sassu
To: zohar@linux.ibm.com, dmitry.kasatkin@gmail.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, mic@digikod.net
Cc: linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, bpf@vger.kernel.org, linux-kernel@vger.kernel.org, keescook@chromium.org, Roberto Sassu
Subject: [PATCH v4 1/3] security: Introduce LSM_ORDER_LAST and set it for the integrity LSM
Date: Fri, 10 Mar 2023 09:53:59 +0100
Message-Id: <20230310085401.1964889-2-roberto.sassu@huaweicloud.com>
In-Reply-To: <20230310085401.1964889-1-roberto.sassu@huaweicloud.com>
References: <20230310085401.1964889-1-roberto.sassu@huaweicloud.com>

Introduce LSM_ORDER_LAST, to satisfy the requirement of LSMs needing to be last, e.g. the 'integrity' LSM, without changing the kernel command line or configuration.

Also, set this order for the 'integrity' LSM. While not enforced, this is the only LSM expected to use it.

Similarly to LSM_ORDER_FIRST, LSMs with LSM_ORDER_LAST are always enabled and put at the end of the LSM list, if selected in the kernel configuration. Setting one of these orders alone, does not cause the LSMs to be selected and compiled built-in in the kernel.

Finally, for LSM_ORDER_MUTABLE LSMs, set the found variable to true if an LSM is found, regardless of its order. In this way, the kernel would not wrongly report that the LSM is not built-in in the kernel if its order is LSM_ORDER_LAST.

Fixes: 79f7865d844c ("LSM: Introduce "lsm=" for boottime LSM selection")
Signed-off-by: Roberto Sassu
Acked-by: Mimi Zohar

--- include/linux/lsm_hooks.h | 1 + security/integrity/iint.c | 1 + security/security.c | 12 +++++++++--- 3 files changed, 11 insertions(+), 3 deletions(-) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 6e156d2acff..c55761d93a2 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -1716,6 +1716,7 @@ extern void security_add_hooks(struct security_hook_list *hooks, int count, enum lsm_order { LSM_ORDER_FIRST = -1, /* This is only for capabilities. */ LSM_ORDER_MUTABLE = 0, + LSM_ORDER_LAST = 1, /* This is only for integrity. */ }; struct lsm_info { 
diff --git a/security/integrity/iint.c b/security/integrity/iint.c index 8638976f799..b97eb59e0e3 100644 --- a/security/integrity/iint.c +++ b/security/integrity/iint.c @@ -182,6 +182,7 @@ static int __init integrity_iintcache_init(void) DEFINE_LSM(integrity) = { .name = "integrity", .init = integrity_iintcache_init, + .order = LSM_ORDER_LAST, }; diff --git a/security/security.c b/security/security.c index cf6cc576736..2f36229d5b6 100644 --- a/security/security.c +++ b/security/security.c @@ -284,9 +284,9 @@ static void __init ordered_lsm_parse(const char *order, const char *origin) bool found = false; for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { - if (lsm->order == LSM_ORDER_MUTABLE && - strcmp(lsm->name, name) == 0) { - append_ordered_lsm(lsm, origin); + if (strcmp(lsm->name, name) == 0) { + if (lsm->order == LSM_ORDER_MUTABLE) + append_ordered_lsm(lsm, origin); found = true; } } 
@@ -306,6 +306,12 @@ static void __init ordered_lsm_parse(const char *order, const char *origin) } } + /* LSM_ORDER_LAST is always last. */ + for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { + if (lsm->order == LSM_ORDER_LAST) + append_ordered_lsm(lsm, " last"); + } + /* Disable all LSMs not in the ordered list. */ for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { if (exists_ordered_lsm(lsm))
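
Review bot: in the security/security.c hunk at @@ -284, a name from the list that matches an LSM_ORDER_FIRST or LSM_ORDER_LAST entry now sets found = true but is otherwise dropped without any message, so the position the user gave it is silently ignored. Consider adding an else branch to `if (lsm->order == LSM_ORDER_MUTABLE)` that logs that the LSM has a fixed order, so someone who lists integrity ahead of another LSM can see from the boot log why it still ends up last.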
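
Review bot: the new loop in the @@ -306 hunk appends every entry whose order is LSM_ORDER_LAST, so if a second LSM ever sets this order, which of them is really last depends on their position between __start_lsm_info and __end_lsm_info, and the lsm_hooks.h comment "This is only for integrity." is not enforced anywhere. Either state in that comment that the relative order of several LSM_ORDER_LAST LSMs is unspecified, or warn when a second one is appended. The origin string " last" also carries a leading space; if that is for log alignment, a short comment saying so would help.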

From patchwork Fri Mar 10 08:54:00 2023
X-Patchwork-Submitter: Roberto Sassu
X-Patchwork-Id: 67284
From: Roberto Sassu
To: zohar@linux.ibm.com, dmitry.kasatkin@gmail.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, mic@digikod.net
Cc: linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, bpf@vger.kernel.org, linux-kernel@vger.kernel.org, keescook@chromium.org, Roberto Sassu
Subject: [PATCH v4 2/3] Revert "integrity: double check iint_cache was initialized"
Date: Fri, 10 Mar 2023 09:54:00 +0100
Message-Id: <20230310085401.1964889-3-roberto.sassu@huaweicloud.com>
In-Reply-To: <20230310085401.1964889-1-roberto.sassu@huaweicloud.com>
References: <20230310085401.1964889-1-roberto.sassu@huaweicloud.com>

With the recent introduction of LSM_ORDER_LAST, the 'integrity' LSM is always initialized (if selected in the kernel configuration) and the iint_cache is always created (the kernel panics on error). Thus, the additional check of iint_cache in integrity_inode_get() is no longer necessary. If the 'integrity' LSM is not selected in the kernel configuration, integrity_inode_get() just returns NULL.

This reverts commit 92063f3ca73aab794bd5408d3361fd5b5ea33079.

Signed-off-by: Roberto Sassu
Acked-by: Mimi Zohar

--- security/integrity/iint.c | 8 -------- 1 file changed, 8 deletions(-) diff --git a/security/integrity/iint.c b/security/integrity/iint.c index b97eb59e0e3..c73858e8c6d 100644 --- a/security/integrity/iint.c +++ b/security/integrity/iint.c 
@@ -98,14 +98,6 @@ struct integrity_iint_cache *integrity_inode_get(struct inode *inode) struct rb_node *node, *parent = NULL; struct integrity_iint_cache *iint, *test_iint; - /* - * The integrity's "iint_cache" is initialized at security_init(), - * unless it is not included in the ordered list of LSMs enabled - * on the boot command line. - */ - if (!iint_cache) - panic("%s: lsm=integrity required.\n", __func__); - iint = integrity_iint_find(inode); if (iint) return iint;
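
Review bot: with the `if (!iint_cache) panic(...)` guard gone, the visible part of integrity_inode_get() no longer checks iint_cache at all, so this revert is only correct on a tree that already carries 1/3, and 1/3 has a Fixes: tag that makes it a likely candidate for being picked on its own. Please state the dependency explicitly in the commit message (that this must not be applied or backported without the LSM_ORDER_LAST patch) so the two are never taken separately.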

From patchwork Fri Mar 10 08:54:01 2023
X-Patchwork-Submitter: Roberto Sassu
X-Patchwork-Id: 67286
From: Roberto Sassu
To: zohar@linux.ibm.com, dmitry.kasatkin@gmail.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, mic@digikod.net
Cc: linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, bpf@vger.kernel.org, linux-kernel@vger.kernel.org, keescook@chromium.org, Roberto Sassu
Subject: [PATCH v4 3/3] security: Remove integrity from the LSM list in Kconfig
Date: Fri, 10 Mar 2023 09:54:01 +0100
Message-Id: <20230310085401.1964889-4-roberto.sassu@huaweicloud.com>
In-Reply-To: <20230310085401.1964889-1-roberto.sassu@huaweicloud.com>
References: <20230310085401.1964889-1-roberto.sassu@huaweicloud.com>

Remove 'integrity' from the list of LSMs in Kconfig, as it is no longer necessary. Since the recent change (set order to LSM_ORDER_LAST), the 'integrity' LSM is always enabled (if selected in the kernel configuration).

Signed-off-by: Roberto Sassu
Acked-by: Mimi Zohar

--- security/Kconfig | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/security/Kconfig b/security/Kconfig index e6db09a779b..1699dda6821 100644 --- a/security/Kconfig +++ b/security/Kconfig 
@@ -246,15 +246,17 @@ endchoice config LSM string "Ordered list of enabled LSMs" - default "landlock,lockdown,yama,loadpin,safesetid,integrity,smack,selinux,tomoyo,apparmor,bpf" if DEFAULT_SECURITY_SMACK - default "landlock,lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo,bpf" if DEFAULT_SECURITY_APPARMOR - default "landlock,lockdown,yama,loadpin,safesetid,integrity,tomoyo,bpf" if DEFAULT_SECURITY_TOMOYO - default "landlock,lockdown,yama,loadpin,safesetid,integrity,bpf" if DEFAULT_SECURITY_DAC - default "landlock,lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf" + default "landlock,lockdown,yama,loadpin,safesetid,smack,selinux,tomoyo,apparmor,bpf" if DEFAULT_SECURITY_SMACK + default "landlock,lockdown,yama,loadpin,safesetid,apparmor,selinux,smack,tomoyo,bpf" if DEFAULT_SECURITY_APPARMOR + default "landlock,lockdown,yama,loadpin,safesetid,tomoyo,bpf" if DEFAULT_SECURITY_TOMOYO + default "landlock,lockdown,yama,loadpin,safesetid,bpf" if DEFAULT_SECURITY_DAC + default "landlock,lockdown,yama,loadpin,safesetid,selinux,smack,tomoyo,apparmor,bpf" help A comma-separated list of LSMs, in initialization order. - Any LSMs left off this list will be ignored. This can be - controlled at boot with the "lsm=" parameter. + Any LSMs left off this list, except for those with order + LSM_ORDER_FIRST and LSM_ORDER_LAST, which are always enabled + if selected in the kernel configuration, will be ignored. + This can be controlled at boot with the "lsm=" parameter. If unsure, leave this as the default.
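
Review bot: the rewritten help text in the config LSM hunk packs the exception into one long sentence ("Any LSMs left off this list, except for those with order LSM_ORDER_FIRST and LSM_ORDER_LAST, which are always enabled if selected in the kernel configuration, will be ignored."), which is hard to parse and puts internal enum names in front of people editing a .config. Suggest two sentences: first that LSMs left off the list are ignored, then that LSMs with a fixed order are always enabled when built in, naming the two that the lsm_hooks.h comments in 1/3 mention. It would also help to say that a CONFIG_LSM string that still contains "integrity" remains accepted.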
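
The ordering rule described in the 1/3 commit message and in the new Kconfig help text, as an added user-space model (not kernel code and not part of this series): fixed-first entries are placed first, listed names are appended only when their order is LSM_ORDER_MUTABLE, and LSM_ORDER_LAST entries are appended at the end whether or not they were listed. The `builtin` table, `struct result`, `append_once()` and `model_ordered_lsm_parse()` are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* User-space model of the ordering in patch 1/3; not kernel code. */
enum lsm_order { LSM_ORDER_FIRST = -1, LSM_ORDER_MUTABLE = 0, LSM_ORDER_LAST = 1 };
struct lsm_info { const char *name; enum lsm_order order; };

/* Constructed stand-in for the built-in LSM table, in scrambled link order. */
static const struct lsm_info builtin[] = {
    { "integrity",  LSM_ORDER_LAST },
    { "selinux",    LSM_ORDER_MUTABLE },
    { "capability", LSM_ORDER_FIRST },
    { "yama",       LSM_ORDER_MUTABLE },
};
#define N_BUILTIN (sizeof(builtin) / sizeof(builtin[0]))

struct result {
    const char *ordered[N_BUILTIN]; /* enabled LSMs, in initialization order */
    size_t n_ordered;
    size_t n_unknown;               /* listed names matching no built-in LSM */
};

/* Append unless already present (duplicate selections are ignored). */
static void append_once(struct result *r, const char *name)
{
    for (size_t i = 0; i < r->n_ordered; i++)
        if (strcmp(r->ordered[i], name) == 0)
            return;
    r->ordered[r->n_ordered++] = name;
}

static struct result model_ordered_lsm_parse(const char *order)
{
    struct result r = { .n_ordered = 0 };   /* remaining members are zeroed */
    size_t i;

    for (i = 0; i < N_BUILTIN; i++)         /* fixed-first LSMs */
        if (builtin[i].order == LSM_ORDER_FIRST)
            append_once(&r, builtin[i].name);

    for (const char *p = order; *p; ) {     /* comma-separated list */
        size_t len = strcspn(p, ",");
        int found = 0;
        for (i = 0; len && i < N_BUILTIN; i++) {
            if (strlen(builtin[i].name) == len &&
                strncmp(builtin[i].name, p, len) == 0) {
                if (builtin[i].order == LSM_ORDER_MUTABLE)
                    append_once(&r, builtin[i].name);
                found = 1;                  /* set regardless of order */
            }
        }
        if (len && !found)                  /* empty tokens are skipped here */
            r.n_unknown++;
        p += len + (p[len] == ',');
    }

    for (i = 0; i < N_BUILTIN; i++)         /* LSM_ORDER_LAST is always last */
        if (builtin[i].order == LSM_ORDER_LAST)
            append_once(&r, builtin[i].name);
    return r;
}

int main(void)
{
    /* "integrity" is listed first here, yet it still initializes last. */
    struct result r = model_ordered_lsm_parse("integrity,selinux");
    for (size_t i = 0; i < r.n_ordered; i++)
        printf("%s%c", r.ordered[i], i + 1 < r.n_ordered ? ',' : '\n');
    return 0;
}
```

In the model, listing "integrity" neither moves it nor counts it as unknown, which is the behaviour the `found` change in 1/3 is meant to give.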